Do you brush your teeth?
Yes, this article is going to be about dental hygiene and toothbrushes…
…as a metaphor to talk about digital hygiene.
As a kid, you learn from your parents that it is important to brush your teeth twice a day, to floss and avoid eating too much candy. If you do not do so, you will have cavities and other dental problems. It will hurt and you will spend a lot of time and money to get it fixed. You only get one set of adult teeth for your whole life, so if you don’t take care of them you will end up with false teeth or even dentures. In France, despite the risks involved, only half of the population brush their teeth twice a day. More than 25% declare that they had cavities in the past year. Dentists say that most people do not know how to properly use a toothbrush. Disturbingly, during the first lockdown, sales of toothbrushes fell by 43%. Sure, it was more complicated to go shopping and buy toothbrushes, but were behaviors also impacted by us working from home in a remote digital setup, resulting in a general neglect of our dental hygiene?
Here is another story to show you how the physical and digital world can be intertwined.
In 2016, Dropbox discovered a hack that took place in 2012. 68 million accounts were stolen. The investigation concluded that the hacker had used an employee login and password which were stolen in a previous breach. The employee had used the same password at work and for his personal websites.
If you do not pay attention to your hygiene, a small and painful incident can become an even bigger nightmare.
There are billions of users and millions of businesses that rely on the internet today to access and transact with millions of digital service providers.
More and more, users are moving their data to the Cloud. Each time they do so, they provide a small subset of their digital identity. It is as if you spread around hundreds of copies of your ID card, or your credit card, or even your social security card. Your digital footprint is all over the place.
The way Identity is built on the internet is wrong
In its current state, it is bad for users: you get the constant friction each time you need to register, log in, or check out. As a user, you have no idea what data is actually being captured, because on top of personal data you willingly provide, service providers will grab more personal details about you like your geographical location, your device type, your browsing history… Obviously many businesses rely on monetizing that data, either directly for advertisement, profiling, etc. or indirectly. And this becomes uncontrollable since hundreds of copies of your digital identity have been scattered across the cloud.
It is bad for digital service providers as well. The friction of the sign-up or the checkout funnel is a key business issue. Regulation is creating increasing risks and liabilities on those providers through policies like GDPR, CCPA, and cookie regulation. Consumers are becoming more and more wary of providers. They feel the internet has become a dangerous place.
Unfortunately, it is getting worse for everyone.
People are using more devices than ever, on average 3 or more. We have more digital accounts every year. The number of massive breaches is increasing. Every day the news is filled with stories about providers being hacked and user data having been leaked: Facebook (many times), SolarWinds, Clubhouse, Equifax, Colonial Pipeline… and many others.
Digital Identity is basically broken!
Finding solutions is a race against time, against hackers, but also against the Big Tech companies of the world.
In spite of the risks, most internet users still resort to crude methods to handle their digital identity.
- Only 15% of Americans use password managers, based on a survey Dashlane conducted in 2020.
- Almost 70% of internet users reset their passwords for their accounts on at least a monthly basis, and 18% do so on a weekly basis.
Few of them take any action to safeguard their identity whatsoever. Collectively, it feels like we have kind of given up, and accepted that this is the way things are. We accept bearing both the risk and the burden.
It looks like the way we deal with our dental hygiene: we know the risks, we know the best practices and while we can learn how to reduce those risks, we have neither the courage nor the discipline to address them.
By the time internet usage boomed, it was too late.
There was an inflexion point in 2007 with the appearance of smartphones, which multiplied access points to the Internet.
Estimates pointed to 50 billion connected devices in 2020, all of which must handle some form of identity or authentication. That’s 50 billion possible points of failure where user data could be at risk.
Digital Identity is a Fragmented System
Truth is, it is a hard problem to solve. Digital Identity should be universal. It should be agnostic of any provider and work cross-platform. As you can use your passport to travel to any country in the world, you should have a digital equivalent. But the internet is totally fragmented. Big Tech giants cannot solve it on their own. They are focused on protecting their own walled garden, their own territory, not on fixing the broader issue.
It looks like the world of payments, which is largely fragmented as well with cash, credit cards, checks, online payments, and more recently, cryptocurrencies. There are about 180 different currencies in the world today.
Biometric methods such as using your fingerprints or facial recognition could be a potential savior, but:
- Biometric systems can be faked.
- Once your biometric data is compromised, what can you do?
- Biometrics is a device-specific solution. No standard or shared protocol has emerged yet.
- In the end, it only solves a small portion of use cases around authentication, not the broader use case of digital identity.
Another hope had been that centralized mechanisms such as Facebook Connect or Login with Google would be the solution. It is definitely a convenience for users, but it means that you trust Big Tech by putting all your eggs in the same basket. Recent breaches have shown the limits of a centralized identity model. Centralizing the digital identity of millions and millions of users creates a target so large that it is only a question of time before they get massively breached.
A few of my own passwords were leaked in the past, in the Dropbox breach or in the more recent LinkedIn breach. Fortunately for me, at that time I had already started paying attention to my digital hygiene.
I had begun using Dashlane as a password manager. With that “toothbrush,” I was able to easily generate unique passwords for all my online services.
Today I have more than 1000 unique passwords. I do not know them. I just remember my Master Password, the key to my digital vault.
That limits the potential impact of those breaches for me when a site gets hacked. I just need to update the breached password. I still get email scams threatening me about old passwords of mine, but I simply ignore them.
I see the mission of Password Managers from a dentist’s point of view. Nobody likes to go to the dentist and brush their teeth every day. Alas, this is still the best solution to avoid cavities. Dentists show you how to use a toothbrush. It is up to you then to develop that discipline. To make that discipline part of your daily routine.
Another metaphor I like to use to describe digital hygiene is the car seat belt. Nobody today would think of removing their seat belt when driving on the highway. Why shouldn’t we do the same on the digital highway of the internet? It is better to be safe than sorry, even if it costs us a little convenience.
The impediment is that users do not care. They hear of so many breaches on a day-to-day basis that, as with climate change news, they have mostly stopped paying attention and act as if they were unconcerned.
Behavioral change is hard. Despite awareness of the critical climate situation and the well-known impact of car pollution, electric vehicles make up less than 2% of the market today.
There is also skepticism about potential solutions. No solution is perfect: electric cars are not going to be enough to solve the climate change crisis.
Password managers are not a magic solution for your digital hygiene either, but they are better than nothing. Their system is built so that you remain in total control of your data. Everything happens on your device, where your data is being encrypted, and the key, what we call the Master Password, is known only to you. This zero-knowledge architecture ensures that you are protected as a user. This solution is decentralized by design and is independent of any ecosystem. It works on all platforms in a universal way. I do believe it is important to be independent from Big Tech and have a choice. We are looking to be the Switzerland of Digital Identity.
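To make the zero-knowledge idea concrete, here is an added sketch; it is not Dashlane's code and not taken from this article. It assumes scrypt for key derivation and AES-256-GCM from the Python `cryptography` package; the function names, the `vault-v1` label and the record layout are hypothetical. It shows that what leaves the device is only a salt, a nonce and ciphertext, and that a wrong Master Password or an altered record fails to open the vault.

```python
# Added illustration, not Dashlane's code: scrypt and AES-256-GCM are assumed choices.
import hashlib, json, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters (about 16 MiB)
LABEL = b"vault-v1"                         # hypothetical format label, authenticated

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the Master Password into a 256-bit key, on the device only."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, **SCRYPT)

def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the vault locally; the returned record is all a sync server stores."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, LABEL)
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex()}

def open_vault(master_password: str, record: dict):
    """Decrypt on the device; None means wrong password or a modified record."""
    key = derive_key(master_password, bytes.fromhex(record["salt"]))
    try:
        plaintext = AESGCM(key).decrypt(bytes.fromhex(record["nonce"]),
                                        bytes.fromhex(record["ciphertext"]), LABEL)
    except InvalidTag:
        return None
    return json.loads(plaintext)

def tamper(record: dict) -> dict:
    """Flip one bit of the stored ciphertext, as a corrupted or altered copy would."""
    raw = bytearray(bytes.fromhex(record["ciphertext"]))
    raw[0] ^= 0x01
    return {**record, "ciphertext": raw.hex()}

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    vault = {"example.com": "k3!Qz-constructed-1", "mail.example": "v9@Lm-constructed-2"}
    stored = seal_vault("correct horse battery staple", vault)
    print("server stores:", sorted(stored))
    print("right password:", open_vault("correct horse battery staple", stored) == vault)
    print("wrong password:", open_vault("guess", stored))
    print("tampered record:", open_vault("correct horse battery staple", tamper(stored)))
```

Because the key is derived from the Master Password alone, the strength of that password and the cost of the derivation function are what stand between a stolen record and its contents.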
What does the future of Digital Identity look like?
In the market today there are 3 main trends which aim to solve the problem of Digital Identity.
- The emergence of standardized identity protocols. Apple and Google have created their own proprietary solutions for the mobile ecosystems, iOS and Android. The W3C is promoting standards like WebAuthn for the web. But we are far away from universal solutions.
- Companies are prototyping decentralized identity systems. There are concepts like self-sovereign identity, the concept that an individual should own and control their identity without intervening administrative authorities. Developers also play with Blockchain technology around digital identity.
- Finally, some third-party solutions like password managers and enterprise SSO try to become “digital identity providers” but this is still a niche market today.
None of them are perfect. None are universal.
Technical solutions won’t be enough to repair a broken Digital Identity. We need simpler, easy-to-use solutions that can be adopted by all. In today’s optimized life, security and tech cannot be the only trigger. Ev Williams, the founder of Twitter and Medium, says, “Convenience decides everything”.
Our individual efforts can make a collective impact.
Start Owning & Improving your Digital Hygiene
I would like to share with you what I personally do and encourage you to move forward and start taking baby steps for your own digital hygiene.
- I obviously use a Password Manager, such as Dashlane.
- I use a safer web browser like Brave, which is better for privacy.
- I stopped using the Google search engine. I actually decided to use Ecosia for ecological impact, more than privacy, but there are other privacy-focused search engines to choose from.
- I deleted my Facebook account a while ago, and I migrated from WhatsApp to Signal.
- I have moved away from Gmail, and I am using Fastmail, an independent email provider.
In so doing, step by step, I am regaining control of my digital identity.
So can you: improve the management and control of your digital identity, and help us fix the internet and make it a safer place.
If I may, I would like to use a provocative parallel in today’s pandemic world. Mankind has been able to get rid of diseases such as smallpox by running massive campaigns of individual vaccination. I hope we can do the same with Digital Identity.
It is high time to start brushing your teeth.